Reinventing Windows Security

With the world's most talented hackers all lying in wait for its arrival,
clearly the most critical improvements Microsoft had to make to Windows Vista
centered around its security capabilities. After several vicious viruses successfully
attacked Vista's Windows predecessors over the last few years, Microsoft --
particularly its Trustworthy Computing Group -- was under enormous pressure
to build bulletproof walls around the product.

Stephen Toulouse, senior product manager for the Trustworthy Computing Group,
is one of Microsoft's key people thrust into the middle of this perpetual war
against hackers. During Vista's development process he worked on a number of
security features including kernel patch protection, the Windows Security Center
and Windows Defender, as well as working with partners to ensure their products
would work smoothly with the new security technologies. Toulouse sat down with
Redmond Editor Ed Scannell and Peter Varhol, executive editor, reviews,
to talk about some of the processes Microsoft went through in deciding what
technologies to incorporate, and the new testing procedures those new technologies
went through in order to make it into the final product.

Redmond: How did you determine what security features were going
into Vista? What sort of feedback did you get from enterprise customers about
that?
Toulouse: By the end of 2004 Vista underwent a fundamental reset in terms
of what it was going to be. Part of that reset was what we learned from the
development of [Windows XP] Service Pack 2 [SP2]. In fact, the first steps toward
understanding the larger security picture of Vista were with SP2. In SP2 we
did things like the Internet Explorer lock-down for the local machine zone.
Feedback from users [on SP2] was really around a couple of things. First, they
wanted the code to be fundamentally more resistant to attack. Making sure the
operating system was resistant gave us time to evaluate whether or not we should
apply the update. Second, better security features in the product helped us
tune it to different environments that would help it protect itself.

When in the development cycle did you incorporate new technologies like
BitLocker? Did that come out of SP2 research or independently of it?
That was separate. It was done as part of what we could do to take advantage
of some cool technology coming out on the Trusted Platform Modules. At that
time, we were seeing this rash of laptops left in taxicabs with databases of
1 million customers' personal information on [them]. One of the things we thought
we could do was full volume drive encryption to alleviate that problem. But
the problem with encryption systems is they aren't full volume, so [hackers]
can just pull the drive out of the machine and try to brute-force decrypt it.
But BitLocker helps prevent that. That was driven more as a privacy feature
and really intended mainly for corporate laptop users.

As you collected and incorporated feedback from SP2 users plus your own
ideas, how did you determine what security features would work for millions
of users?
It's all about hitting a confidence level, striving to define that confidence
level and employing the metrics that determine where you are relative to that
confidence level. With Windows Vista there were three things going on in reaching
that confidence level. Number one, how do we evaluate what we are putting in.
Number two, when do we get to the point where we can share that and trust that
sharing gives us the feedback we need. Number three, what is our safety net
that helps us understand that [feedback] even if we miss something -- are there
still things within the product that can help.

So how did you evaluate what you decided to put in?
How [we] evaluate what goes into a product is what I call the security engineering
part. That's where we use our Security Development Lifecycle [SDL]. Vista is
unique in that it's our first client OS that went through the SDL from beginning
to end. The SDL is now the process under which Microsoft develops all software.
So when a developer is sitting down in his office, he's no longer thinking just
cool feature, cool feature, cool feature. He's thinking as much about the misuse
of the feature as he is the use of it. This is an important mindset change.
Before people were just rushing to make a great feature work well and be stable.
Now they have to think about what an attacker can do with it. It's called Threat
Modeling. If we can't go through this process successfully, then features get
cut.

Was this hard to develop as a discipline for longtime developers?
Well, we started back with SP2 and I think people learned some very hard lessons
thanks to [the] Slammer, Blaster and Sasser [viruses]. Thankfully, the mindset
change had already occurred. But a second piece of all this is BlueHat, which
is independent of the SDL, where we bring in security researchers to poke holes
in functionality right there in front of the same people who developed it. It's
also a good punch in the stomach, as opposed to getting feedback on an intellectual
level.

Were any other fundamental changes made to the development process since
Windows XP?
Another change from Windows XP is when a developer now needs to check in code
by merging it with the main source tree, that code is run against a variety
of tools that scan it. This scanning is looking for banned APIs and unsafe coding
practices. It's not meant to be a catchall, but more of a safety check. If any
code contains these things it gets kicked back out and is not allowed to merge.
Another big change from Windows XP is the sheer, unprecedented number of security
researchers and security companies that we brought into Microsoft to do code
review and penetration testing on the product.

Looking back, do you feel there's anything you missed?
After all the reviews and security testing, it was clear to us and the public
[that] we missed the usability of things like User Account Control. There was
just a wave of criticisms after beta 2. I don't think that feature has fully recovered from the initial criticism. Even
though we spent the next two beta releases addressing it, it still carried a
bad rep in the final product. You have to assume there are some things you're
not going to see. It's a constant battle between usability and security.

It is a tradeoff. The most secure OS is one running on a computer
with no I/O connectivity inside a vault.
I'll go you one better: The most secure OS is the one still on the DVD and that
hasn't been installed anywhere. Let's be clear -- this is the most secure version
of Windows we've done but that does not mean it's hack-proof. We have great
faith in this product and it's only going to get better from here, but delivering
the finished version of Vista doesn't mean we're all taking vacations now.

About the Author

Ed Scannell is the editor of Redmond magazine. Peter Varhol is the executive editor of reviews of Redmond magazine.